
Commit c6c4594

Fix ACL for default case (#35)
The Bucket ACL was not being reset back to the default value of `private` when removing the `ACL` value. This pull request ensures that if the user does not specify an ACL, the reconciler does not get caught in a loop trying to update the default grant header (grant full control for the current user) and does not try to set an empty string ACL.
1 parent 830a807 commit c6c4594


1 file changed

+46
-0
lines changed


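--- a/pkg/resource/bucket/hook.go
+++ b/pkg/resource/bucket/hook.go
@@ -28,6 +28,7 @@ var (
 DefaultAccelerationConfigurationStatus = svcsdk.BucketAccelerateStatusSuspended
 DefaultRequestPayer = svcsdk.PayerBucketOwner
 DefaultVersioningStatus = svcsdk.BucketVersioningStatusSuspended
+DefaultACL = svcsdk.BucketCannedACLPrivate
 DefaultPolicy = ""
 )
 
@@ -314,7 +315,42 @@ func customPreCompare(
 if b.ko.Spec.ACL != nil {
 b.ko.Spec.ACL = matchPossibleCannedACL(*a.ko.Spec.ACL, *b.ko.Spec.ACL)
 }
+} else {
+// If we are sure the grants weren't set from the header strings
+if a.ko.Spec.GrantFullControl == nil &&
+a.ko.Spec.GrantRead == nil &&
+a.ko.Spec.GrantReadACP == nil &&
+a.ko.Spec.GrantWrite == nil &&
+a.ko.Spec.GrantWriteACP == nil {
+b.ko.Spec.GrantFullControl = nil
+b.ko.Spec.GrantRead = nil
+b.ko.Spec.GrantReadACP = nil
+b.ko.Spec.GrantWrite = nil
+b.ko.Spec.GrantWriteACP = nil
+}
+
+emptyGrant := ""
+if a.ko.Spec.GrantFullControl == nil && b.ko.Spec.GrantFullControl != nil {
+a.ko.Spec.GrantFullControl = &emptyGrant
+// TODO(RedbackThomson): Remove the following line. GrantFullControl
+// has a server-side default of id="<owner ID>". This field needs to
+// be marked as such before we can diff it.
+b.ko.Spec.GrantFullControl = &emptyGrant
+}
+if a.ko.Spec.GrantRead == nil && b.ko.Spec.GrantRead != nil {
+a.ko.Spec.GrantRead = &emptyGrant
+}
+if a.ko.Spec.GrantReadACP == nil && b.ko.Spec.GrantReadACP != nil {
+a.ko.Spec.GrantReadACP = &emptyGrant
+}
+if a.ko.Spec.GrantWrite == nil && b.ko.Spec.GrantWrite != nil {
+a.ko.Spec.GrantWrite = &emptyGrant
+}
+if a.ko.Spec.GrantWriteACP == nil && b.ko.Spec.GrantWriteACP != nil {
+a.ko.Spec.GrantWriteACP = &emptyGrant
+}
 }
+
 if a.ko.Spec.CORS == nil && b.ko.Spec.CORS != nil {
 a.ko.Spec.CORS = &svcapitypes.CORSConfiguration{}
 }
@@ -441,6 +477,16 @@ func (rm *resourceManager) newPutBucketACLPayload(
 res.SetGrantWriteACP(*r.ko.Spec.GrantWriteACP)
 }
 
+// Check that there is at least some ACL on the bucket
+if res.ACL == nil &&
+res.GrantFullControl == nil &&
+res.GrantRead == nil &&
+res.GrantReadACP == nil &&
+res.GrantWrite == nil &&
+res.GrantWriteACP == nil {
+res.SetACL(DefaultACL)
+}
+
 return res
 }
 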
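Review bot: In the new `else` branch of customPreCompare (new lines 318-351), the observed `b.ko.Spec.Grant*` fields are cleared whenever the desired spec carries no grants, and `b.ko.Spec.GrantFullControl` is additionally blanked at new line 338, so a grant added to the bucket outside the controller appears to produce no delta and the reset to `DefaultACL` in newPutBucketACLPayload would not be reached for it. Whether the observed canned `ACL` field still surfaces that drift depends on how it is populated, which is outside these hunks. If the masking is meant only for the owner's server-side default named in the TODO, it should be narrowed to that case once the owner ID is available; until then the limitation deserves a comment above the first `if`, such as `// NOTE: while the spec sets no ACL or grants, grant changes made outside the controller are not detected as drift.` Both customPreCompare and newPutBucketACLPayload begin outside the visible hunks.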